Updating Flash Memory on Reference Tool Target System
(1) Power off the motherboard by pressing the "POWER" switch, if it is powered on. (Refer to the
instruction manual for the Reference Tool.)
(2) The provided flash memory image file for the Reference Tool target system, ebootrom.100.0xx
(where 0xx represents the build number digits), is normally installed in
$CELL_SDK/target/bootrom/. Move into the directory and check the presence of the file in the
directory, and then start up the logical console server with the -rom option from the directory,
specifying the IP address set for the debugging Ethernet port of the Reference Tool as shown
below (where xx.xx.xx.xx represents the IP address). Note that the -at option is also mandatory.
(Refer to "Logical Console Server" in Section 7 for details of the command and its options.)
$ cd $CELL_SDK/target/bootrom/
$ ls
$ lcnslsrv -at -ip xx.xx.xx.xx -rom ebootrom.100.0xx
(3) Press the "POWER" switch to supply power to the motherboard.
It causes the Reference Tool target system to boot and several windows to open. It also causes the
program for updating the flash memory to start, read the remote flash memory image file, and
execute updating of the flash memory. Messages of the updating program will be output to the
window titled "lcterm lpid:1 lcid:10".
(4) When the following text is displayed, power to the motherboard will be automatically turned off.
System update: SUCCESS
Now you have completed the updating procedure. The updated flash memory will be used from the next
boot.

When it says "$ cd $CELL_SDK/target/bootrom/" I think that retail must have a similar command...
But my intention in replying is, if you can see all that data posted above,
maybe you can see what the first requests at boot time are by your method.
Give it a try...

When it says "$ cd $CELL_SDK/target/bootrom/" I think that retail must have a similar command...

That's just a directory change command running on the Windows/PC used for development, rather than on the PC. lcnslsrv is used to flash old (pre-1.0) devkits to 1.0, as trying to update from early flashes (e.g. 0.8x) to a newer firmware could brick the devkit.

Retail boxes don't update via lcnslsrv. And new SDK firmware only appears as a .PUP format image too, so lcnslsrv isn't used anymore (unless you happen to have a really old devkit).

If you don't have any luck, there is always IRC. Those who have demonstrated via Forum posts a serious effort (you guys know who you are) should get in touch with CJPC there. He may be able to guide you in the right direction... of course, this doesn't apply to those with 1 post who are just looking to acquire such materials for "bragging rights."

I have been trying to gather some information to help you guys out but my spare time is limited.

I have my PS3 using the wireless connection, so I'm going to set my PC wireless card up and see what kinda information I can capture. I have lots of experience with Wireshark from taking msce security courses, and if there is anything useful I should be able to pick it out.

Question is, does the PS3 download the category_psn.xml every time you connect to the store (or as soon as the PS3 gets online), or does it look for an update file every Thursday, knowing there should be an updated file soon?

As I thought, this DNAS Certificate when you log in, confirms to the server it's a valid PS3, and IS editable. We could definitely "hot-edit" this packet if we can get a program for it. (Working on mine, but no progress really).

We could replace "*.*.*.dl.playstation.net" with 192.168.0.100 or another IP or server. Without disconnecting the PS3 from the server!
Instant win? I believe so.

This is by far the most obvious exploit no one seemed to catch.
Now that the proof is there (hopefully), this will work if we can edit it.
I.e., create a server with SSL capabilities to use as a proxy for everyone's PS3, also bypassing firmware updates, etc.

The server will "change" the *.*.*.dl.playstation.net to anything we want.
I'm thinking a site should be made, where a user has a custom control panel, and can edit the server of their choice, allowing everyone to be able to redirect their PS3 to a file anywhere.

Even when you redirect it elsewhere, you will only be able to give the PS3 proper packages (i.e. signed from Sony), and from what I remember about proxied methods, the PS3 is somehow able to detect your attempts, so last time I checked you were unable to install and actually use full games.